The CySA+ knowledge domains
Introduction
The new CompTIA Cybersecurity Analyst (CySA+) certification exam, code CS0-002, went live on April 21, 2020, replacing the previous CySA+ exam (CS0-001). The new exam verifies that CySA+-certified professionals have the skills and knowledge required to apply intelligence and threat detection techniques, analyze and interpret data, identify and remediate vulnerabilities, suggest preventive measures, and effectively respond to and recover from security incidents.
This article will detail the five knowledge domains of the CySA+ certification exam (CS0-002) and what material you can expect to be covered on the exam. Here is a breakdown.
CySA+ certification exam background
The CySA+ certification exam is divided into five general categories of knowledge domains:
Domains | Exam percentage |
---|---|
1.0 Threat and Vulnerability Management | 22% |
2.0 Software and Systems Security | 18% |
3.0 Security Operations and Monitoring | 25% |
4.0 Incident Response | 22% |
5.0 Compliance and Assessment | 13% |
Total | 100% |
These five general categories of knowledge domains can be further broken down into smaller domains, but these will be explored in subsequent articles.
1.0 Threat and Vulnerability Management
Cyberthreats and vulnerabilities are continually proliferating, and organizations are looking for ways to build greater cyber resilience. The first domain covers cybersecurity threats and vulnerabilities: the importance of threat data and intelligence, vulnerability management activities, vulnerability assessment tools, threats and vulnerabilities associated with specialized technologies (e.g., mobile or IoT), and threats and vulnerabilities that come with operating in the cloud. The following sections list the objectives under this domain:
1.1 Explain the importance of threat data and intelligence
- Intelligence sources
- Confidence levels
- Indicator management
- Threat classification
- Threat actors
- Intelligence cycle
- Commodity malware
- Information sharing and analysis communities
1.2 Given a scenario, utilize threat intelligence to support organizational security
- Attack frameworks
- Threat research
- Threat modeling methodologies
- Threat intelligence sharing with supported functions
1.3 Given a scenario, perform vulnerability management activities
- Vulnerability identification
- Validation
- Remediation/mitigation
- Scanning parameters and criteria
- Inhibitors to remediation
1.4 Given a scenario, analyze the output from common vulnerability assessment tools
- Web application scanner
- Infrastructure vulnerability scanner
- Software assessment tools and techniques
- Enumeration
- Wireless assessment tools
- Cloud infrastructure assessment tools
1.5 Explain the threats and vulnerabilities associated with specialized technology
- Mobile
- Internet of Things (IoT)
- Embedded
- Real-time operating system (RTOS)
- System-on-Chip (SoC)
- Field programmable gate array (FPGA)
- Physical access control
1.6 Explain the threats and vulnerabilities associated with operating in the cloud
- Cloud service models
- Cloud deployment models
- Function-as-a-Service (FaaS)/serverless architecture
- Infrastructure as code (IaC)
- Insecure application programming interface (API)
- Improper key management
- Unprotected storage
1.7 Given a scenario, implement controls to mitigate attacks and software vulnerabilities
- Attack types
- Vulnerabilities
2.0 Software and Systems Security
Software and systems security is of the utmost importance to organizations because it preserves business continuity and helps prevent data breaches. Corporate systems and software applications must keep working during and after a cyber incident, disaster or deliberate attack.
In this domain, you will learn how to apply security solutions to systems and software, as well as hardware and software assurance best practices. Below are the details of each subdomain.
2.1 Given a scenario, apply security solutions for infrastructure management
- Cloud vs. on-premises
- Asset management
- Segmentation
- Network architecture
- Change management
- Virtualization
- Containerization
- Identity and access management
- Cloud access security broker (CASB)
- Honeypot
- Monitoring and logging
- Encryption
- Certificate management
- Active defense
2.2 Explain software assurance best practices
- Platforms
- Software development life cycle (SDLC) integration
- DevSecOps
- Software assessment methods
- Secure coding best practices
- Static analysis tools
- Dynamic analysis tools
- Formal methods for verification of critical software
- Service-oriented architecture
2.3 Explain hardware assurance best practices
- Hardware root of trust
- eFuse
- Unified Extensible Firmware Interface (UEFI)
- Trusted foundry
- Secure processing
- Anti-tamper
- Self-encrypting drive
- Trusted firmware updates
- Measured boot and attestation
- Bus encryption
3.0 Security Operations and Monitoring
Security operations and monitoring activities are needed to detect and prevent intrusions and data breaches; protecting email, logs, networks and endpoints is always crucial. Common controls toward this goal include firewalls, tightened permissions, intrusion prevention and detection systems (IPS/IDS), endpoint detection and response (EDR) and similar tooling.
Threat hunting is also an effective practice in today's Security Operations Centers (SOCs): it takes a proactive approach, searching for adversary activity before an incident is declared rather than reacting only after one has occurred. This domain also covers automation, which takes over manual and repetitive tasks and helps offset the cybersecurity skills gap.
Let’s explore the content of this domain in more detail.
3.1 Given a scenario, analyze data as part of security monitoring activities
- Heuristics
- Trend analysis
- Endpoint
- Network
- Log review
- Impact analysis
- Security information and event management (SIEM) review
- Query writing
- Email analysis
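The items above (log review, heuristics, trend analysis and query writing) describe the kind of analysis a SOC analyst performs by hand or by script. As an added illustration that is not part of the exam objectives or of the original article, the Python script below parses constructed OpenSSH-style authentication log lines and applies a simple heuristic: a source address that produces several failed logins within a short window and then an accepted login is flagged as a likely successful brute-force attempt. The log lines, the hostname, the failure threshold and the time window are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog style; not a real capture.
SAMPLE_LOG = """\
Mar 10 08:01:02 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:01:04 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 08:01:05 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 08:01:07 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 08:01:09 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 08:01:11 bastion sshd[2201]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 10 08:03:40 bastion sshd[2210]: Failed password for alice from 198.51.100.4 port 40011 ssh2
Mar 10 08:05:12 bastion sshd[2212]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_auth_log(log_text, year=2020):
    """Turn raw sshd lines into event dicts. Syslog timestamps carry no year,
    so the caller supplies it (an assumption made for this example)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count and review lines that fail to parse
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def find_successful_brute_force(events, threshold=5, window_seconds=60):
    """Heuristic: flag an Accepted login that is preceded by at least `threshold`
    failures from the same source address within `window_seconds`."""
    recent_failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        # Drop failures that have fallen outside the sliding window.
        recent = [t for t in recent_failures[src] if (ev["ts"] - t).total_seconds() <= window_seconds]
        recent_failures[src] = recent
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"src": src, "user": ev["user"], "failures": len(recent), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_successful_brute_force(parse_auth_log(SAMPLE_LOG)):
        print(f"{alert['at']} ALERT {alert['src']} logged in as {alert['user']} "
              f"after {alert['failures']} failures")
```

Run against the sample, the script raises one alert for 203.0.113.7 (five failures in seven seconds followed by an accepted root login) and stays silent for 198.51.100.4, whose single mistyped password followed by a key-based login is normal user behaviour. Tuning the threshold and window against real baselines is the "trend analysis" part of the objective.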
3.2 Given a scenario, implement configuration changes to existing controls to improve security
- Permissions
- Whitelisting
- Blacklisting
- Firewall
- Intrusion prevention system (IPS) rules
- Data loss prevention (DLP)
- Endpoint detection and response (EDR)
- Network access control (NAC)
- Sinkholing
- Malware signatures
- Sandboxing
- Port security
3.3 Explain the importance of proactive threat hunting
- Establishing a hypothesis
- Profiling threat actors and activities
- Threat hunting tactics
- Reducing the attack surface area
- Bundling critical assets
- Attack vectors
- Integrated intelligence
- Improving detection capabilities
3.4 Compare and contrast automation concepts and technologies
- Workflow orchestration
- Scripting
- Application Programming Interface (API) integration
- Automated malware signature creation
- Data enrichment
- Threat feed combination
- Machine learning
- Use of automation protocols and standards
- Continuous integration
- Continuous deployment/delivery
4.0 Incident Response
A cyber incident is an event that can cause loss, disrupt business continuity and interrupt corporate functions, services or operations. To limit that impact, enterprises implement an incident response process (IRP), typically run from a SOC.
This domain covers the importance of the incident response process, incident response procedures, ways to analyze indicators of compromise (IoCs) and the use of basic digital forensics techniques. Below is a list of the subdomains.
4.1 Explain the importance of the incident response process
- Communication plan
- Response coordination with relevant entities
- Factors contributing to data criticality
4.2 Given a scenario, apply the appropriate incident response procedure
- Preparation
- Detection and analysis
- Containment
- Eradication and recovery
- Post-incident activities
4.3 Given an incident, analyze potential indicators of compromise
- Network-related
- Host-related
- Application-related
4.4 Given a scenario, utilize basic digital forensics techniques
- Network
- Endpoint
- Mobile
- Cloud
- Virtualization
- Legal hold
- Procedures
- Hashing
- Carving
- Data acquisition
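Hashing, carving and data acquisition in the list above are concrete techniques rather than concepts, so an added illustration follows; it is not part of the exam objectives or of the original article. The Python script below builds a constructed stand-in for an acquired disk image, shows how the acquisition hash is recorded and later re-verified, and performs simple header/footer carving for PNG and JPEG objects, producing a per-artifact hash manifest. The image contents, the filler layout and the two file signatures chosen are assumptions for the example; real forensic tooling handles many more formats and fragmented files.

```python
import hashlib

# Standard PNG and JPEG magic values used for header/footer carving.
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
PNG_FOOTER = b"IEND\xaeB\x60\x82"
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"
SIGNATURES = {"png": (PNG_HEADER, PNG_FOOTER), "jpeg": (JPEG_HEADER, JPEG_FOOTER)}


def build_sample_image():
    """Constructed stand-in for an acquired disk image: zero filler with a
    minimal PNG-like and JPEG-like object embedded. Not real media data."""
    png = PNG_HEADER + b"\x00\x00\x00\rIHDR" + b"\x00" * 17 + PNG_FOOTER
    jpeg = JPEG_HEADER + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + JPEG_FOOTER
    return b"\x00" * 512 + png + b"\x00" * 100 + jpeg + b"\x00" * 300


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_acquisition(image, recorded_sha256):
    """Re-hash the image and compare it with the hash recorded at acquisition.
    Any mismatch means the evidence was altered or the copy is incomplete."""
    return sha256_hex(image) == recorded_sha256


def carve(image, signatures=SIGNATURES):
    """Header/footer carving: for each known signature, find every header and
    the first matching footer after it; return (type, offset, data) tuples."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header))
            if end == -1:
                break  # truncated object; a real tool would carve up to a size cap
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def build_manifest(image):
    """Per-artifact hashes so each carved file can be tied back to the image
    offset it came from in the evidence log."""
    return [
        {"type": kind, "offset": offset, "size": len(data), "sha256": sha256_hex(data)}
        for kind, offset, data in carve(image)
    ]


if __name__ == "__main__":
    image = build_sample_image()
    acquisition_hash = sha256_hex(image)  # recorded at the time the image was taken
    print("acquisition hash verified:", verify_acquisition(image, acquisition_hash))
    for entry in build_manifest(image):
        print(entry)
```

Note that the same hash function serves two purposes here: the image-level hash proves the evidence has not changed since acquisition, while the per-artifact hashes let every carved file be referenced unambiguously in the chain-of-custody record.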
5.0 Compliance and Assessment
Data privacy and protection matter both to limit the damage when a breach does occur and to avoid compliance penalties and reputational harm. This domain focuses on data security controls and risk mitigation strategies, as well as the importance of frameworks, policies, procedures and controls.
5.1 Understand the importance of data privacy and protection
- Privacy vs. security
- Non-technical controls
- Technical controls
5.2 Given a scenario, apply security concepts in support of organizational risk mitigation
- Business impact analysis
- Risk identification process
- Risk calculation
- Communication of risk factors
- Risk prioritization
- Systems assessment
- Documented compensating controls
- Training and exercises
- Supply chain assessment
5.3 Explain the importance of frameworks, policies, procedures, and controls
Conclusion
Getting to any destination, including a passing score on a certification exam, requires a good road map. The CySA+ certification comprises the five knowledge domains described above, which together form the road you need to travel to earn this solid cybersecurity certification.